Overview

overview

10

Static

static

3

7fedcec3a3...32.exe

windows7-x64

7

7fedcec3a3...32.exe

windows10-2004-x64

10

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

LICENSES.c...m.html

windows7-x64

3

LICENSES.c...m.html

windows10-2004-x64

3

NSIS.exe

windows10-2004-x64

10

d3dcompiler_47.dll

windows10-2004-x64

1

ffmpeg.dll

windows10-2004-x64

1

libEGL.dll

windows10-2004-x64

1

libGLESv2.dll

windows10-2004-x64

1

resources/elevate.exe

windows7-x64

3

resources/elevate.exe

windows10-2004-x64

3

vk_swiftshader.dll

windows10-2004-x64

1

vulkan-1.dll

windows10-2004-x64

1

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...7z.dll

windows7-x64

3

$PLUGINSDI...7z.dll

windows10-2004-x64

3

$R0/Uninst...IS.exe

windows7-x64

7

$R0/Uninst...IS.exe

windows10-2004-x64

7

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

Analysis

  • max time kernel
    141s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2024 03:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NSIS.exe

  • Size

    180.1MB

  • MD5

    bd4906b9305afec35a88a3387bcb9fac

  • SHA1

    1d32e6f1c6ba770c3b2625d0241be0f2d4581b5d

  • SHA256

    a674229c90366a8300ad63c8ae675c2bc1c12307bccb00ae818dfa67c1955bf5

  • SHA512

    40966c176eaf9e025597599cb99532b3c36c3e72bcf991b95a450eb26f663b61a79933d741cce807e18c198239e3c49973189e9eb2cdbaf4b29115a6c25ff09a

  • SSDEEP

    1572864:1wl41lgY+w9QLv1JWYc6UeOtUUGQUT1jdu4BPPuuwT2GOqiB1sr7zjg7ob753oUV:rF4oD0QdG09P

Score
10/10
remcosremotehostdiscoveryexecutionransomwarerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.42.12.39:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    jesusapt

  • mouse_option

    false

  • mutex

    JESUSAPT-7R4T5W

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell and hide display window.

    execution
  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NSIS.exe
    "C:\Users\Admin\AppData\Local\Temp\NSIS.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4592
    • C:\Users\Admin\AppData\Local\Temp\NSIS.exe
      "C:\Users\Admin\AppData\Local\Temp\NSIS.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\NSIS" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1760,i,10552390151535195668,4671381024149473269,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1752 /prefetch:2
      2⤵
        PID:4836
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\Admin\AppData\Local\Temp\NSIS.exe';$s.Save()""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\Admin\AppData\Local\Temp\NSIS.exe';$s.Save()"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3624
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:736
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4240
          • C:\Windows \System32\winSAT.exe
            "C:\Windows \System32\winSAT.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3248
      • C:\Users\Admin\AppData\Local\Temp\NSIS.exe
        "C:\Users\Admin\AppData\Local\Temp\NSIS.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\NSIS" --field-trial-handle=2020,i,10552390151535195668,4671381024149473269,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2012 /prefetch:3
        2⤵
          PID:2032
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4964
            • C:\Windows \System32\winSAT.exe
              "C:\Windows \System32\winSAT.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Windows directory
              • Suspicious use of WriteProcessMemory
              PID:4328
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; $BginfoPath = Join-Path $TargetPath 'Bginfo.exe'; Start-Process -FilePath $BginfoPath -ArgumentList '/NOLICPROMPT /timer:300' -WorkingDirectory $TargetPath -WindowStyle Hidden; }"
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2112
                • C:\Users\Admin\AppData\Roaming\MyElectronApp\Bginfo.exe
                  "C:\Users\Admin\AppData\Roaming\MyElectronApp\Bginfo.exe" /NOLICPROMPT /timer:300
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Sets desktop wallpaper using registry
                  • System Location Discovery: System Language Discovery
                  • Checks processor information in registry
                  • Modifies Control Panel
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:924

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        6cf293cb4d80be23433eecf74ddb5503

        SHA1

        24fe4752df102c2ef492954d6b046cb5512ad408

        SHA256

        b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

        SHA512

        0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        a2b24af1492f112d2e53cb7415fda39f

        SHA1

        dbfcee57242a14b60997bd03379cc60198976d85

        SHA256

        fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

        SHA512

        9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        4413676298a83381b1c41cfd14dad64c

        SHA1

        8d12447796d5230068e5920eb3f8c2c74d9b766b

        SHA256

        c73e90d25c5791493c50e603b9ebbb7372580971262f7804c1f3641020edc82a

        SHA512

        2e0d672d307ab5c0a821a4959c57e4c9012059cee19ef696dd02480c9b3cc6b8ab9eade3c531b485af47c077f10b7e30894770f501322274d918b00e9af1ad07

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        eaf415628ac7d30994e9eecdcc2eb805

        SHA1

        2cc356663169f3b9e27989570ef48e6bd9388007

        SHA256

        2d0aab9b599f27b06a3b16ff474a5d843146cd58061fc8b327829ebf5df7cd93

        SHA512

        844534cd2c90c0b53d5bf573825afaf441446e1b04cdfc9c06bc24a2f542663bc79f3b8edc5590dc04d6758fd06e09bc837884e71e64455b1cc98adb993c7693

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2nu4vd2s.0g2.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\MyElectronApp\Bginfo.exe
        Filesize

        2.1MB

        MD5

        3aef228fb7ee187160482084d36c9726

        SHA1

        8b76990c5061890c94f81f504c5782912a58d8a6

        SHA256

        c885df88693496d5c28ad16a1ecde259e191f54ad76428857742af843b846c53

        SHA512

        e659a7cf12c6b41879e4ce987e4cd1cefce2ffc74e06817667fa833764f36f25cc5f8374dbc844b68b787acac011c7b8c8f2b74563bf8a96f623ebb110a593da

        Download Submit

      • C:\Users\Admin\AppData\Roaming\MyElectronApp\VERSION.dll
        Filesize

        256KB

        MD5

        b9c1e07b4b2eda5d3650acad008b8374

        SHA1

        5f193013d0f9caa41e1a1b2441e5e969315803c7

        SHA256

        a94785c2269da10bc56b8b2d526e6028b22d62d0961db3129abc0208416c119e

        SHA512

        67effa650ceb69afbe040385f017f22ba270ab04ab7cf9ab5b2a64f4d0ecb6d6f29809bd49ee9c9f0ad42d9bfbab595f213fb276259d62f8c48d97431afd0708

        Download Submit

      • C:\Users\Admin\AppData\Roaming\MyElectronApp\data.bin
        Filesize

        467KB

        MD5

        71ee48d05dcaaf3edc86c7a8ddc7cfd8

        SHA1

        9448dae20207994597047d2796f3e237ca76b287

        SHA256

        4776212795ca4946fa4aad57df8ee4fb4a4d966cf23fba6a47ac18b3d8b73b52

        SHA512

        814b4456a04d07662888bf35d5f6d40b2cc5938d9ebf77f597d113ef2cad62c6baae9ed9c36765f8da4fb37a848443a29632f090ad42daa50ad44ea766a138c1

        Download Submit

      • C:\Windows \System32\VERSION.dll
        Filesize

        235KB

        MD5

        92b547fb6a5e079a00955b13e67e415b

        SHA1

        28eafa6cddc0cd132b3ab1cd4c00a0a7c8a04014

        SHA256

        75a0725e4560801b81b0cc9a35a805012403072ebce5f70500c2435b6e128056

        SHA512

        1f764832690bc718c798f30250977d6a38d47e6093cbc2ca1bc7665386c4fdc55decbd324302f59aad15238ec9f8ac3ef7df5cc85e090309aaf2782b36220471

        Download Submit

      • C:\Windows \System32\version.dll
        Filesize

        221KB

        MD5

        66de65d980d40f3aaac3da64be631a91

        SHA1

        e9db45421829aadf312ee888f5340ade4545af89

        SHA256

        1cb9fcc2d76f51dbd08d58209c3e732b1abd0c1c0a3760d95374c68c890ff010

        SHA512

        fa8bc38b7c5d663497c1798a292d75f768d528cfe272f23c1cc3a4cdae80229772832bd45b54d2ce1815d347c941371eb87b84dcc794eaae515109f5b71f2fb4

        Download Submit

      • C:\Windows \System32\winSAT.exe
        Filesize

        2.7MB

        MD5

        715db53a8064c6deccf68b7501df3386

        SHA1

        99acd12c3600ad3a7c478e49126db520bc136304

        SHA256

        cc31fdcdce05144ef750b01233d57614cda7364a73ca26ff68886ebdc650e367

        SHA512

        9ba9eaefa1e2e4da2d14f12b81f2ed0597ab6eb6b32d85851b69bc86d77a6b38810a04aa35ffcbf64484d544f52960f05f4eaca4740cd3674a1d09d8b373ce3c

        Download Submit

      • C:\Windows\Performance\WinSAT\winsat.log
        Filesize

        893B

        MD5

        3ade185b4a2d5a01ce656b7cf41cb564

        SHA1

        c3046dbf2667bd5076f39a6a7cc7694f7074ff51

        SHA256

        89b0f5792d25eb3f685b768d23cacf307ed76dfcae20d08c15eb3ed1c4f8fa9f

        SHA512

        0cb41a47210933d5c6c23e64e0782c6e28bcced26d5998332bcb3b05aae4128efc37b768888bcf2cd88a997a7b1db8b0885c19c3fd98bae4bb71e651938e099e

        Download Submit

      • memory/924-105-0x0000000002A00000-0x0000000002A7D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/924-104-0x0000000002A00000-0x0000000002A7D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/924-97-0x0000000002A00000-0x0000000002A7D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/924-98-0x0000000002A00000-0x0000000002A7D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/924-101-0x0000000002A00000-0x0000000002A7D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/924-102-0x0000000002A00000-0x0000000002A7D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/924-103-0x0000000002A00000-0x0000000002A7D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/924-96-0x0000000002A00000-0x0000000002A7D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/924-116-0x0000000002A00000-0x0000000002A7D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/924-106-0x0000000002A00000-0x0000000002A7D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/924-111-0x0000000002A00000-0x0000000002A7D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/924-112-0x0000000002A00000-0x0000000002A7D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/924-113-0x0000000002A00000-0x0000000002A7D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/4240-24-0x0000018DC3D50000-0x0000018DC3D72000-memory.dmp

        Filesize

        136KB

        Download